Cyber Resilience for the Third Sector

Hints and Tips

Activity 1: Picking Stronger Passwords
How secure is your password?

Cyber criminals can use tools called password crackers to try and guess passwords. You can use a website to test the strength of passwords against the tools cyber criminals use.
1. Go to https://howsecureismypassword.net.
2. Type a password that you think might be easy to guess. It might just be a simple word and a number (for example “flowers15”)
3. Now, try something similar to a password you already use (but don’t type your actual password)
Picking a better password

The best way to choose a strong password is using three random words. This is called a passphrase. This works because the longer a password is the harder it is for a password cracker to guess.
1. Think of three random words. The words shouldn’t be related to each other, and they shouldn’t make sense in a sentence. Write them here.
  \______________ \______________ \______________
2. Go to https://howsecureismypassword.net and try typing your new passphrase. You can put a space between each of the words. Is it more secure now?
This is a great way of choosing a password, in fact this is the way recommended by GCHQ and the National Cyber Security Centre.
Activity 2: Spotting phishing attacks
How to spot a phishing attack

Social engineering is when cyber criminals manipulate people into giving up confidential information. This might be usernames, passwords, or other personal information like bank card details, dates of birth, or where you live.

A phishing attack is form of social engineering. It looks like an email or message that appears to be sent by someone you know, or a company you trust. However, really it’s been sent by cyber criminals who are impersonating that person or company. They hope that you will reply to their message, or will try to trick you into logging into a fake website or sending them sensitive or confidential information.

What might a phishing attempt look like?

Well it could look like something you’d normally encounter on a computer.

It could be through a message, or a friend request, or an advert. And this is called phishing, with a ph. They’re trying to fish some information from you, or have you click on something.

It’s not going to look dramatic like it might in a movie, your screen probably isn’t suddenly going to go red with a scary face and message. It’ll be much more personal, more human.

Spotting a phishing email

The National Cyber Security Centre have published these tell tale signs that could indicate a phishing attempt:
- Authority – They make themselves seem important, and trustworthy. They might pretend they know you, or your manager. They might be imitating someone you would normally trust. They might pretend to be from your bank, or a government department.
- Urgency – To build pressure or distress. They might set a deadline, or rush you into doing something – so you don’t have time to think about it clearly. Criminals often threaten you with fines or other negative consequences. They might threaten to close your account. Or they might say you need to contact them immediately to sort a problem
- Emotion – Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more. They’ll threaten you with something you probably really care about or make you want something.
If you spot one or more of these things – it might make you suspicious. Think of this as your checklist for spotting a social engineering attack
Reporting a phishing attack

The National Cyber Security Centre have set up a phishing email reporting service. They are asking members of the public to send them any messages they receive they think are suspicious. They’ll be able to investigate and take action.

Suspicious emails
If you received an email which you’re not quite sure about, you forward it to the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk

Suspicious text messages
Suspicious text messages should be forwarded to 7726. This free-of-charge number lets your provider to investigate the origin of the text and take action, if found to be malicious.
Activity 3: Securing your devices

Securing your devices

Phones and tablets allow staff to be able to work from home or out of the office. They’re portable and perfect for carrying to meetings But they also have their own risks like being lost, stolen. Your device can be exploited both remotely and physically, but by taking the steps outlined in this section, you can help protect your devices from many common attacks.

Here are some key things to remember:

Stay up to date: keep your software and apps up to date with the latest security patches, and never ignore an update
Be careful what you download: only download apps from official app stores and avoid using unknown or third-party applications
Stay with your device: Never leave your devices unattended and secure them with a screen lock (protects against physical attacks, shield your passcode, consider biometrics)
Look around you: Be aware of people around you, particularly when you’re using a device on the move (shoulder surfing)